05-18-2020 05:01 AM - edited 05-18-2020 05:13 AM
Hi,
Just trying to set up external RADIUS authentication to our Firepower 2110 boxes; we don't have FMC, so it's the on-box FDM for config.
I've created a security group in AD and the specific policies in the NPS, with the attribute fdm.userrole.authority.admin added to the cisco-av-pair attribute.
When I test authentication I get a success notification
However, when attempting to log in I am unsuccessful.
Can anyone advise where I may have gone wrong in setting this up?
EDIT:
Checking the NPS logs I can see it's approved the access request
Many thanks
Rich
05-18-2020 06:46 AM
Did you set up NPS to return the Cisco A-V pair "fdm.userrole.authority.admin"? (or .ro or .rw for read-only and read-write users) That's required to make it work. A simple "Access-Accept" won't do it.
I just tested and set this up using ISE in my lab, and that last bit was the key.
Reference the online help in your FDM:
https://<your FDM address>/#/help/t_configuring_external_authorization_aaa_for_firepower_device_manager_users.html
[Screenshot: FDM User with External Authentication]
[Screenshot: FDM Authorization Result in ISE]
05-18-2020 06:58 AM
Yeah I did. I don't have ISE unfortunately, so am just using Windows NPS.
FWIW, this is the attribute setting in the NPS policy:
05-18-2020 07:05 AM - edited 05-18-2020 07:06 AM
Hmmm, if NPS is returning that value in the Cisco AV pair it should work.
I'd check with a packet capture on the NPS server filtering to the FTD address. RADIUS is plain text so you should be able to confirm the value is being sent back to FDM in the RADIUS reply message.
05-18-2020 07:22 AM
That's a great idea!
I've actually figured it out / fixed it, but I'm going to Wireshark it anyway for curiosity's / professional interest's sake.
When I created the NPS policy I added the RADIUS attribute to the network policy rather than the connection policy.
I do find it vexing that, when testing, FDM reported a success even though it wouldn't work, mind.
For any future google searchers, set it in here:
Really appreciate the help!
Cheers
Rich
05-18-2020 07:42 AM (accepted solution)
You're welcome. The RADIUS test is just basically checking shared secret and if the device is valid on the RADIUS server.
I agree it would be useful if it actually processed the full authorization request and checked the result.
Seeing the actual packets often helps us cut through what we think is happening vs. what's actually going on. Back when I was learning ISE seeing the actual attributes and their values was my "ah ha" moment for grokking the computer science term "A-V pair".
03-12-2025 08:33 AM
This helped me, thanks.
Did you manage to authenticate users for SSH connections in the same way?
03-13-2025 05:49 AM
I did it. The same logic applies; only, for SSH, the Service-Type needs to be set to Administrative.
And don't use "." in the username.
cheers
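As an added example (not part of the thread, and not Cisco's or Microsoft's code), here is a small Python parser that does what the packet-capture suggestion earlier in the thread asks for, and also covers the SSH Service-Type point from the last reply: it walks a RADIUS reply's attributes, pulls the cisco-av-pair strings out of the Cisco Vendor-Specific attribute (vendor id 9, vendor type 1), reads Service-Type, and reports whether the reply carries what FDM needs. The attribute layout is from RFC 2865; the rule that FDM needs fdm.userrole.authority.<role> in cisco-av-pair, and that SSH additionally needs Service-Type = Administrative, is taken from this thread rather than independently verified. The three sample replies are constructed inline (zeroed Response Authenticator, not real captures); to check a real reply, replace them with the UDP payload bytes of the Access-Accept exported from the capture on the NPS server.

```python
import struct

# RADIUS constants (RFC 2865); Cisco's Vendor-Id is 9 and cisco-av-pair is vendor type 1.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1
SERVICE_TYPE_ADMINISTRATIVE = 6
FDM_ROLE_PREFIX = "fdm.userrole.authority."  # roles named in the thread: admin, rw, ro


def parse_attributes(payload):
    """Walk the type/length/value attributes that follow the 20-byte RADIUS header."""
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[i], payload[i + 1]
        if a_len < 2 or i + a_len > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((a_type, payload[i + 2:i + a_len]))
        i += a_len
    return attrs


def cisco_avpairs(attrs):
    """Return the cisco-av-pair strings carried in Vendor-Specific attributes with Vendor-Id 9."""
    pairs = []
    for a_type, value in attrs:
        if a_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        j = 4  # vendor sub-attributes follow: vendor-type, vendor-length, value
        while j + 2 <= len(value):
            v_type, v_len = value[j], value[j + 1]
            if v_len < 2 or j + v_len > len(value):
                break
            if v_type == CISCO_AVPAIR:
                pairs.append(value[j + 2:j + v_len].decode("ascii", "replace"))
            j += v_len
    return pairs


def check_reply(packet):
    """Summarise a RADIUS reply against the two rules the thread arrived at."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs = parse_attributes(packet[20:length])
    roles = [p[len(FDM_ROLE_PREFIX):] for p in cisco_avpairs(attrs) if p.startswith(FDM_ROLE_PREFIX)]
    service_type = None
    for a_type, value in attrs:
        if a_type == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
    accepted = code == ACCESS_ACCEPT
    return {
        "access_accept": accepted,
        "fdm_role": roles[0] if roles else None,
        "service_type": service_type,
        # FDM web login: Access-Accept plus fdm.userrole.authority.<role> in cisco-av-pair
        "fdm_login_ok": accepted and bool(roles),
        # SSH login, per the last reply in the thread: the same plus Service-Type = Administrative (6)
        "ssh_login_ok": accepted and bool(roles) and service_type == SERVICE_TYPE_ADMINISTRATIVE,
    }


# --- constructed sample replies, not real captures --------------------------------
def _cisco_avpair(text):
    inner = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode("ascii")
    return (ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_reply(code, ident, attrs):
    """Assemble a RADIUS reply; the 16-byte Response Authenticator is zeroed in these samples."""
    body = b"".join(bytes([a_type, len(value) + 2]) + value for a_type, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# What a correctly configured policy returns: role VSA plus Service-Type Administrative.
GOOD_REPLY = build_reply(ACCESS_ACCEPT, 7, [
    (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)),
    _cisco_avpair("fdm.userrole.authority.admin"),
])
# A bare Access-Accept: NPS logs it as approved, FDM still refuses the login.
BARE_REPLY = build_reply(ACCESS_ACCEPT, 8, [])
# Role present but no Service-Type: web UI login works, SSH does not (per the last reply).
NO_SERVICE_TYPE_REPLY = build_reply(ACCESS_ACCEPT, 9, [_cisco_avpair("fdm.userrole.authority.ro")])

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_REPLY), ("bare", BARE_REPLY), ("no-service-type", NO_SERVICE_TYPE_REPLY)]:
        print(name, check_reply(pkt))
```

Running the block prints one line per sample. The bare Access-Accept is exactly the situation in the thread: the server logs an approval and the FDM "test" passes, but only the decoded attributes show that nothing in the reply tells FDM which role to grant.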
